Forum Replies Created

    WestNab
    Participant

    I have this problem using 10.5.8 WGM as well. Thanks for the posts, hopefully they’ll help …

    WestNab
    Participant

    Steven,
    Absolutely no problem, I take full responsibility! Anyhow, it seems I’ve got to a situation where users can log in again & have time to go round rebinding the clients (about 40, so could be worse!). On the whole I’m pleased with the outcome, I don’t think I would have found an easier way to fix.
    Andy

    WestNab
    Participant

    The first attempt at unbinding the xserve resulted in the whole machine hanging – couldn’t get back into Finder to Force Quit from Directory Utility, so I had to power cycle the xserve.
    For the next attempt, I disabled Active Directory in Directory Utility > Services before editing the Active Directory item and unbinding from AD. This went ahead smoothly. I rebooted, checked that the xserve no longer was in AD, then bound it in again. On binding to AD, it put up a message “Join Kerberos realm. To join this server to the Active Directory Kerberos realm, open Server Admin and select Open Directory for this server. In the Settings pane, click General, then click Join Kerberos and enter credentials for a local administrator on this server”.
    With hindsight, perhaps I should have just ignored this!
    In Server Admin > Open Directory > Settings > General
    ⁃ Join Kerberos is not available – ‘Add Kerberos Record’ is available, Kerberos is already running.
    I probably shouldn’t have done what I did next, which was to trash my existing OD and recreate a new one by changing my xserve from OD Master to ‘Connected to a directory server’ and then changing it back again!
    (In between, I did have a ‘Join Kerberos’ button, but when I tried it, nothing happened – maybe because I’d entered wrong settings?)
    I can now recreate my user groups in WGM, which have as members groups from AD.
    I now find I have to rebind all my Macs to the xserve because of the new OD and also unbind and rebind to AD before user login works – but it does!
    Of course, I will also have to recreate preferences for my workstations and user groups …

    in reply to: login failing on machines that used to authenticate fine #379140
    WestNab
    Participant

    Steven,

    I’ve checked out the xserve and although Directory Utility says everything is fine, Workgroup Manager doesn’t seem to be accessing AD at all. I had included a couple of AD groups as members of OD groups, but these are now marked as ‘Not Found’ in Workgroup Manager. If I try to add members to the OD group from AD, ‘All domains’ or ‘x.y.z.uk’ are available and can be selected, but no items appear in the side panel.

    Any idea of the best step now? My first thought is to unbind the xserve from the domain, wait a bit, reboot maybe, and rebind …

    Andy

    in reply to: login failing on machines that used to authenticate fine #379129
    WestNab
    Participant

    Just found a workaround/fix – on a machine that didn’t log users in – disable the option to get the home directory from AD – teststudent then logs in.

    Home directory is set in AD to home folder on an xserve via afp.

    For some reason teststudent cannot connect (using command-K) to this home directory any more using AD credentials – even from a machine where login still works and the option to get the home directory from AD is still enabled! Presumably other student accounts can’t either.

    I’ve found on machines where login works, I’ve got ‘Force local home directory on startup disc’ enabled, as well as use the AD home directory – it seems the former takes precedence and the fact that the AD home dir is inaccessible doesn’t prevent login if the local home is used.

    So progress made, but I don’t understand entirely … I will have a more thorough check of settings on the xserve. Presumably something wrong there.

    in reply to: login failing on machines that used to authenticate fine #379128
    WestNab
    Participant

    Steven,

    Sorry, forgot to add this info – as far as I know, the machines that now don’t log in were working from October last year until sometime this spring.

    We did change domain controllers (from older 2003 servers to 2008 servers) in April. All machines are apparently configured correctly with the new AD DCs, but perhaps something is lingering from the old DCs?

    in reply to: login failing on machines that used to authenticate fine #379127
    WestNab
    Participant

    Thanks for your response. I am not aware of AD requirements for computers to re-authenticate? Where & how is that configured? I evidently don’t fully understand AD. I thought that the process of joining the domain created a ‘shared secret’ (RID or something?) that the computer then always used to authenticate itself in the domain.

    As mentioned previously, leaving the domain and rebinding doesn’t seem to fix the problem.

    The machine is called, for example, machine5. The FQDN is, for example, machine5.x.y.z.uk – this is correct in DNS, i.e. the name can be resolved correctly. This is the same on machines where login works. The domain is called ‘x’, but its FQDN is x.y.z.uk. The search domain in network preferences is set to x.y.z.uk on all machines.

    in reply to: login failing on machines that used to authenticate fine #379119
    WestNab
    Participant

    Thanks for your reply. No, I can’t id the teststudent AD account, which can’t log in.

    If I log in with a local account, I can command-K, authenticate as teststudent and mount Windows shares fine.

    Andy
